Packing Detection and Trojan Identification Techniques Based on PE Files
Published: 2018-07-24 22:06
[Abstract]: Network security is an inseparable part of information science, and Trojan analysis and detection techniques are among the most important topics in that field. Today the vast majority of computers, and even mobile phones, have some form of Trojan detection and removal software installed. This thesis studies Trojan analysis and detection methods on Windows systems. On Windows a Trojan must exist as a PE file before it can go on to compromise the computer for illegal ends, and determining whether a PE file is packed is an unavoidable step in Trojan detection, so the thesis also studies methods for detecting packed PE files. The thesis first reviews and analyses the state of Trojan detection research in China and abroad and sets out the basic approaches, namely dynamic detection and static detection. Second, it describes the organisation of the PE file format, methods for analysing it, and the characteristics of its sections, in preparation for extracting useful information and classification features from PE files. It then presents a method for identifying packed PE files based on computing the Minkowski distance over specific PE file attributes, since packed and unpacked PE files differ markedly on certain attributes; experimental results show that the method detects packed PE files effectively. Finally it proposes a static Trojan detection method based on the C5.0 decision tree algorithm, which uses attributes extracted from PE files as classification features and combines them with the efficient boosting algorithm. PE files are first unpacked with the PEiD tool and then processed further to improve the performance metrics. Experimental results show that the method achieves improvements in a number of respects.
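The packed-PE detector described in the abstract compares specific PE attributes by Minkowski distance. The Python illustration below is added here and is not the thesis's own code; it assumes three attributes (mean section entropy, raw-to-virtual section size ratio, imported function count) and constructed reference vectors, none of which the abstract specifies, and it generalises to any Minkowski order p.

```python
"""Packed-PE detection by Minkowski distance: added illustration, not the thesis's code."""
from math import log2

# ASSUMED attribute vector layout (the abstract does not list the attributes used):
#   [mean section entropy (bits/byte), raw-size / virtual-size ratio, imported function count]
# Constructed reference vectors for the two classes; real values come from a labelled corpus.
REFERENCE = {
    "packed":   [7.6, 0.15, 4.0],    # near-random bytes, small on disk, few imports
    "unpacked": [5.5, 0.95, 120.0],  # code-like entropy, sizes match, rich import table
}
# Per-attribute scale so the import count does not dominate the distance.
SCALE = [8.0, 1.0, 200.0]


def minkowski(a, b, p=2):
    """Minkowski distance of order p: p=1 Manhattan, p=2 Euclidean, p=inf Chebyshev."""
    diffs = [abs(x - y) for x, y in zip(a, b)]
    if p == float("inf"):
        return max(diffs)
    return sum(d ** p for d in diffs) ** (1.0 / p)


def section_entropy(data):
    """Shannon entropy of a section body in bits per byte (0.0 .. 8.0);
    packed or encrypted sections sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def classify(features, p=2):
    """Nearest-reference classification; returns (label, {label: distance})."""
    x = [f / s for f, s in zip(features, SCALE)]
    dist = {
        label: minkowski(x, [r / s for r, s in zip(ref, SCALE)], p)
        for label, ref in REFERENCE.items()
    }
    return min(dist, key=dist.get), dist


if __name__ == "__main__":
    # Constructed sample: one section of uniformly distributed bytes, tiny on disk, 2 imports.
    body = bytes((i * 131 + 7) % 256 for i in range(4096))
    sample = [section_entropy(body), 0.10, 2.0]
    print(classify(sample))  # ('packed', {...})
```

The scale vector matters as much as p: without it the import count swamps the entropy and size-ratio attributes, which are the ones that actually separate the two classes.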
[Degree-granting institution]: Guangxi University
[Degree level]: Master
[Year of degree]: 2014
[Classification number]: TP393.08
Article number: 2142802
Link to this article: http://sikaile.net/guanlilunwen/ydhl/2142802.html